var-200909-0304

Vulnerability from variot

Unspecified vulnerability in Cisco NX-OS before 4.0(1a)N2(1), when running on Nexus 5000 platforms, allows remote attackers to cause a denial of service (crash) via an unspecified "sequence of TCP packets" related to "TCP State manipulation," possibly related to separate attacks against CVE-2008-4609. Cisco Nexus 5000 is prone to a denial-of-service vulnerability when handling specially crafted TCP packets. An attacker can exploit this issue to cause the device to crash, denying service to legitimate users. Devices running versions prior to NX-OS 4.0(1a)N2(1) are vulnerable. This issue is documented by Cisco Bug ID CSCsv08059. The Cisco SSLVPN function is an enhanced version of the WebVPN function, allowing users anywhere on the Internet to remotely access corporate sites. If a specially crafted HPPTS packet is received, the device configured with the SSLVPN function may be overloaded or hang. The default TCP port number of SSLVPN is 443. A device configured with SSLVPN may leak TCBs when processing an abnormally disconnected SSL session. This vulnerability can be exploited without authentication. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products

Advisory ID: cisco-sa-20090908-tcp24

Revision 1.0

For Public Release 2009 September 8 1700 UTC (GMT)

+---------------------------------------------------------------------

Summary

Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml

Affected Products

Vulnerable Products +------------------

The following Cisco products have a TCP implementation that is affected by these vulnerabilities. Refer to the Software Versions and Fixes section for information on fixed software.

Cisco IOS Software

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log into the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:

Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc. 
Compiled Mon 17-Mar-08 14:39 by dchih
<output truncated>

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(20)T with an installed image name of C1841-ADVENTERPRISEK9-M:

Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc. 
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
<output truncated>

Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS Reference Guide" at the following link:

http://www.cisco.com/warp/public/620/1.html

Cisco IOS-XE Software

The version of Cisco IOS-XE Software that is running on a Cisco product can be determined using the "show version" command from the Command Line Interface (CLI).

Cisco CatOS Software

The version of Cisco CatOS Software that is running on a Cisco product can be determined using the "show version" command from the CLI.

Cisco Adaptive Security Appliance (ASA) and Cisco PIX

Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected when configured for any of the following features:

SSL VPNs
ASDM Administrative Access
Telnet Access
SSH Access
Cisco Tunneling Control Protocol (cTCP) for Remote Access VPNs
Virtual Telnet
Virtual HTTP
Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection
Cut-Through Proxy for Network Access

The version of software that is running on a Cisco ASA and Cisco PIX security appliances can be determined using the "show version" command from the CLI.

Cisco NX-OS Software

The version of Cisco NX-OS Software that is running on Cisco Nexus 5000 and 7000 series devices can be determined using the "show version" command from the CLI.

Scientific Atlanta Products

Scientific Atlanta customers are instructed to contact Scientific Atlanta's Technical Support for questions regarding the impact, mitigation and remediation of the vulnerabilities discussed in this document.

Contact information for Scientific Atlanta Technical Support can be found at the following web site:

http://www.cisco.com/en/US/products/ps10459/serv_group_home.html

Linksys Products

Customers with Linksys products should contact the following email address for questions regarding the impact, mitigation and remediation of the vulnerabilities discussed in this document:

security@linksys.com

Products Confirmed Not Vulnerable +--------------------------------

The following Cisco products are not affected:

Cisco IOS XR
Cisco IOS Software Modularity
Cisco ASA and Cisco PIX Software version 8.2
Cisco PIX Software version 6.x and earlier
Cisco Firewall Services Module (FWSM)
Cisco Multilayer Distribution Switches (MDS)
Cisco Application Control Engine (ACE) Modules and Appliances
Cisco ACE XML Gateway
Cisco Access Control Server (ACS) Solution Engine
Cisco Guard
Cisco Security Monitoring, Analysis, and Response System (CS-MARS)
Cisco ONS 15000
Cisco Content Services Switches (CSS)
Cisco Wide Area Application Services (WAAS)
Cisco Wireless LAN Controller (WLC)
IronPort C, M, S and X Series Appliances

Cisco PSIRT tested Cisco products that are based on Linux and Microsoft Windows operating systems and found that although TCP connections in a FINWAIT1 state may temporarily consume system resources the operating systems eventually clear the TCP connections. If enough system resources are consumed, a sustained DoS condition may be possible. This outcome is highly dependent on the configuration and usage of a system. For more information about how these vulnerabilities affect Microsoft Windows operating systems, please consult the following Microsoft website at the following link:

http://go.microsoft.com/fwlink/?LinkId=155978

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

Multiple Cisco products are affected by DoS vulnerabilities in the TCP protocol. By manipulating the state of TCP connections, an attacker could force a system that is under attack to maintain TCP connections for long periods of time, or indefinitely in some cases. With a sufficient number of open TCP connections, the attacker may be able to cause a system to consume internal buffer and memory resources, resulting in new TCP connections being denied access to a targeted port or an entire system. A system reboot may be required to restore full system functionality. A full TCP three-way handshake is required to exploit these vulnerabilities.

Network devices are not directly impacted by TCP state manipulation DoS attacks transiting a device; however, network devices that maintain the state of TCP connections may be impacted. If the attacker can establish enough TCP connections through a transit device that maintains TCP state, device resources may be exhausted and prevent the device from processing new TCP connections, resulting in a DoS condition. If an affected device that forwards traffic (that is, routes) in a network is the target of a TCP state manipulation attack, the attacker could cause a network-impacting DoS condition.

Cisco IOS Software

All Cisco IOS Software versions are affected by this vulnerability. A device running Cisco IOS Software that is under attack will have numerous hung TCP connections in the FINWAIT1 state. The "show tcp brief" command can be used to display the hung TCP connections. The following is example output showing an attack in progress.

Cisco IOS-XE Software

All Cisco IOS-XE Software versions are affected by this vulnerability. A device running Cisco IOS-XE Software that is under attack will have numerous hung TCP connections in the FINWAIT1 state. The "show tcp brief" command can be used to display the hung TCP connections. The following is example output showing an attack in progress.

Cisco CatOS Software

All Cisco CatOS Software versions are affected by these vulnerabilities. A device running Cisco CatOS Software that is under attack will have numerous hung TCP connections in the FIN_WAIT_1 state. The "show netstat" command can be used to display the hung TCP connections. The following is example output showing an attack in progress.

Console> (enable) show netstat
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0     83  192.168.1.10.23        192.168.1.20.46056       FIN_WAIT_1
tcp        0     83  192.168.1.10.23        192.168.1.20.16305       FIN_WAIT_1
tcp        0     83  192.168.1.10.23        192.168.1.20.14628       FIN_WAIT_1
tcp        0     83  192.168.1.10.23        192.168.1.20.7275        FIN_WAIT_1
tcp        0     83  192.168.1.10.23        192.168.1.20.39559       FIN_WAIT_1

The vulnerabilities for Cisco CatOS Software are documented in Cisco Bug ID CSCsv66169.

Cisco ASA and Cisco PIX Software

All Cisco ASA and Cisco PIX Software versions are affected by these vulnerabilities. A device running Cisco ASA and Cisco PIX Software that is under attack will have numerous TCP connections in the established state. The "show asp table socket" command can be used to display the TCP connections. The following is example output showing a potential attack in progress.

FIREWALL# show asp table socket | grep ESTAB
TCP       123a8a6c  192.168.1.10:80           192.168.1.20:46181    ESTAB
TCP       123e6d54  192.168.1.10:80           192.168.1.20:29546    ESTAB
TCP       1244f78c  192.168.1.10:80           192.168.1.20:40271    ESTAB
TCP       124f8d2c  192.168.1.10:80           192.168.1.20:46599    ESTAB
TCP       12507f2c  192.168.1.10:80           192.168.1.20:5607     ESTAB

It is possible for normal traffic to cause established TCP connections to appear on Cisco ASA or PIX devices, especially VPN connections terminated to the device. In order to confirm if established TCP connections are part of an attack, administrators should use a monitoring point outside the firewall such as a packet sniffer or Netflow collection agent to examine the profile of the suspicious TCP connections and determine if an attack is occurring.

Note: The show asp table socket command was introduced in Cisco ASA and Cisco PIX Software 8.0(1).

Further detail about hung TCP connections can be found with "show conn detail all long" command. The IP address used to qualify the example below is the address of the firewall interface under attack.

FIREWALL# show conn detail all long | grep 192.168.1.10
TCP outside:192.168.1.20/62345 (192.168.1.20/62345) NP Identity Ifc:192.168.1.10/80 (192.168.1.10/80), flags UB, idle 0s, uptime 0s, timeout 1m0s, bytes 0
TCP outside:192.168.1.20/56268 (192.168.1.20/56268) NP Identity Ifc:192.168.1.10/80 (192.168.1.10/80), flags UB, idle 0s, uptime 0s, timeout 1m0s, bytes 0
TCP outside:192.168.1.20/63445 (192.168.1.20/63445) NP Identity Ifc:192.168.1.10/80 (192.168.1.10/80), flags UB, idle 0s, uptime 0s, timeout 1m0s, bytes 0
TCP outside:192.168.1.20/49151 (192.168.1.20/49151) NP Identity Ifc:192.168.1.10/80 (192.168.1.10/80), flags UB, idle 0s, uptime 0s, timeout 1m0s, bytes 0
TCP outside:192.168.1.20/57147 (192.168.1.20/57147) NP Identity Ifc:192.168.1.10/80 (192.168.1.10/80), flags UB, idle 0s, uptime 0s, timeout 1m0s, bytes 0

Note: Both troubleshooting commands referenced about will display TCP connections that are terminated to a firewall interface and transiting through the firewall.

Cisco NX-OS Software

All Cisco Nexus 5000 and 7000 platforms running Cisco NX-OS Software are affected by these vulnerabilities. A Nexus 5005 or 7000 device running Cisco NX-OS Software that is under attack will have numerous hung TCP connections in the FIN_WAIT_1 state. The "show tcp connection detail" command can be used to display the hung TCP connections. The following is example output showing an attack in progress.

NEXUS# show tcp connection detail | include FIN

  State: FIN_WAIT_1
  State: FIN_WAIT_1
  State: FIN_WAIT_1
  State: FIN_WAIT_1
  State: FIN_WAIT_1

The hung TCP connection vulnerabilities for Nexus 5000 and Nexus 7000 devices are documented in Cisco Bug ID CSCsv08325 and Cisco Bug ID CSCsv08579 respectively.

The TCP state manipulation vulnerabilities have been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-4609.

Vulnerability Scoring Details

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

CSCsv04836 - Connections getting stuck at FINWAIT1 state

CVSS Base Score - 7.8